Risky Assets and Traffic Still Prevalent in Leading Healthcare Orgs

Internet Data Bytes: Healthcare

Welcome to Expanse’s new blog series, Internet Data Bytes! This series will examine trends and cybersecurity risks Expanse regularly uncovers through our unique observations of Internet-accessible systems and services belonging to the world’s largest and most complex organizations.

For this edition, we’re taking a quick dive into what a typical week looks like for the global enterprise networks of six Fortune 500 healthcare companies. Over the course of one week in June 2020, Expanse monitored for Internet traffic anomalies associated with each of these organizations. Each company generates more than $10 billion in annual revenue and has over 10,000 employees. Expanse removed scanner traffic from our analysis, which means we’ve looked only at targeted communications.

Given the COVID-19 pandemic and the potentially catastrophic implications of network disruption, it’s never been more important to ensure that the networks of healthcare companies are locked down against malicious intrusion. But unfortunately, Expanse uncovered that these organizations — despite being some of the largest and most well-resourced in the world — had risky Internet assets and communications that could leave them vulnerable to attack. In fact, we even found significant indicators of compromise, such as likely in-progress brute-force password-guessing attacks and regularly allowed external communications with readily exploitable servers present on their attack surfaces.

Read on for details on the assets and communications that Expanse discovered and why they are so dangerous. 

Exposed RDP Servers

Half of the companies that Expanse examined had multiple targeted communications with exposed Remote Desktop Protocol (RDP) servers. RDP servers allow a user to remotely connect with a device and interact with it via a graphical interface. While RDP is a useful tool, it was never intended to be public-facing and is a popular target for attackers when left exposed. It is best practice to never have RDP accessible over the public Internet.

Expanse discovered that 15% of these RDP servers did not have Network Level Authentication (NLA) enabled and were experiencing ongoing brute-force password-guessing attacks. Brute-force password guessing is a common attack method leveled against RDP; apart from illustrating the immediate risks posed to these specific organizations, the prevalence of these attacks demonstrates just how easy it is for bad actors to discover exposed RDP servers and begin to launch attacks.

Exposed SMB Servers

Expanse found that one-third of the healthcare companies examined allowed daily external communications exposing SMBv1 on the public Internet. The Server Message Block (SMB) protocol is primarily used for sharing printers, files, and access to certain ports within a local network. SMB servers have been the targets of some of the most wide-scale cyberattacks in history, such as WannaCry and Petya. In 2018, for example, a WannaCry attack on the U.K.’s National Health Service effectively shut down that nation’s public healthcare system, resulting in 92 million pounds in damages and 19,000 canceled appointments.

Microsoft deprecated SMBv1 in 2014; best practice is to ensure that all instances of SMB are patched, and even once patched, they should never be exposed on the Internet. Because the healthcare organizations examined had external connections to SMBv1, it is possible that data exfiltration by external bad actors was already in progress. 

Communications With Iran

One-third of the organizations presented regular, outbound communications with servers and devices based in Iran, despite the fact that they had no ongoing operations in that country. This indicates that the organizations lacked consistent enterprise-wide filtering controls. Given the ongoing tensions between the United States and Iran, as well as Iran’s history of launching nation-state attacks against U.S. government agencies and U.S.-based enterprises, any unsanctioned communications with Iran should be concerning to enterprise security leaders. 

Outbound Tor Activity

Every healthcare organization Expanse analyzed had outbound Tor activity originating from its network. The majority of this activity came from enterprise networks outside of the U.S. For the organizations that Expanse studied, five or fewer network segments were responsible for more than 92% of the observable Tor traffic. 

While Tor is a well-known anonymization service and is popular for certain legitimate uses, it is too easily abused by malicious actors to be permitted on an enterprise network. Similar to the communications with Iran outlined earlier, outbound Tor activity indicates a lack of consistent application of security policies.
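As an added illustration (not Expanse’s tooling), the following Python script flags the four traffic classes discussed above, inbound RDP and SMB, outbound traffic to Iran, and outbound Tor, over constructed firewall flow records, and applies a simple threshold to spot the repeated-connection pattern of RDP password guessing. The Iran prefix and the Tor exit address are placeholders standing in for a GeoIP lookup and the published exit-node list.

```python
from collections import defaultdict
# Constructed sample flow records, not real telemetry:
# (timestamp_seconds, src_ip, dst_ip, dst_port, direction)
# direction "in" = Internet -> enterprise, "out" = enterprise -> Internet.
FLOWS = [
    (0,  "203.0.113.7",  "10.0.5.20",    3389, "in"),   # RDP reached from the Internet
    (3,  "203.0.113.7",  "10.0.5.20",    3389, "in"),
    (6,  "203.0.113.7",  "10.0.5.20",    3389, "in"),
    (9,  "203.0.113.7",  "10.0.5.20",    3389, "in"),
    (12, "203.0.113.7",  "10.0.5.20",    3389, "in"),   # 5th attempt within 60 s
    (40, "203.0.113.50", "10.0.5.21",    445,  "in"),   # SMB reached from the Internet
    (55, "10.0.7.3",     "198.51.100.8", 443,  "out"),  # outbound to placeholder "Iran" prefix
    (70, "10.0.9.4",     "192.0.2.9",    9001, "out"),  # outbound to placeholder Tor exit
    (90, "10.0.7.3",     "203.0.113.80", 443,  "out"),  # ordinary outbound HTTPS, not flagged
]

# Services that should never be reachable from the public Internet.
EXPOSED_SERVICES = {3389: "RDP", 445: "SMB", 139: "SMB"}
# Placeholders standing in for a GeoIP database and the Tor exit-node list.
IRAN_PREFIXES = ("198.51.100.",)
TOR_EXIT_NODES = {"192.0.2.9"}

def classify_flows(flows):
    """Return {category: sorted list of (src, dst, port)} for each risky class."""
    hits = defaultdict(set)
    for _ts, src, dst, port, direction in flows:
        if direction == "in" and port in EXPOSED_SERVICES:
            hits["exposed_" + EXPOSED_SERVICES[port]].add((src, dst, port))
        elif direction == "out":
            if dst.startswith(IRAN_PREFIXES):
                hits["outbound_iran"].add((src, dst, port))
            if dst in TOR_EXIT_NODES:
                hits["outbound_tor"].add((src, dst, port))
    return {k: sorted(v) for k, v in hits.items()}

def detect_brute_force(flows, port=3389, threshold=5, window=60):
    """Flag (src, dst) pairs with >= threshold inbound hits on `port` in any `window` seconds."""
    attempts = defaultdict(list)
    for ts, src, dst, p, direction in flows:
        if direction == "in" and p == port:
            attempts[(src, dst)].append(ts)
    flagged = set()
    for pair, stamps in attempts.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.add(pair)
                break
    return flagged
```

Run against real flow or firewall exports, the same two functions give an inventory of Internet-reachable RDP/SMB hosts and a short list of sources worth blocking or investigating.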

The Bottom Line

The risky assets and communications Expanse uncovered at these Fortune 500 healthcare organizations demonstrate that even the world’s largest (and, during COVID-19, most critical) organizations tend to lack consistent and global application of baseline security policies and controls. For organizations that Expanse works with, we most often find the root cause of these security risk symptoms is that organizations do not have the means to continuously discover and monitor all of their Internet attack vectors. 

If you don’t know every Internet-exposed asset and service belonging to your organization, it’s impossible to protect them. You can have the most robust policies imaginable, but if you don’t have a complete, current, and accurate inventory, you cannot fully secure your organization.